In the early 1990s, networks or local area networks (LANs) were used in offices, and the Internet was not widely used. Each LAN could be considered to be a closed or private intercommunication network to which the public had no access, so long as the workstations were kept in protected or secure locations and the interconnection lines or cables were not publicly accessible. In a LAN, each individual user or workstation was in communication with a server. If one of the workstations became infected with a virus, that virus, such as the “Jerusalem” virus, could infect the login.exe portion of the server, which in turn would infect other workstations attempting to log onto the server after it became infected. A partial solution to the problem of viruses was to provide each workstation with its own antivirus program. This solution was imperfect, because the antivirus program could be turned off by the user of the workstation, and because the antivirus program could become out-of-date by virtue of not being updated with the latest virus information. A further improvement in addressing the problem of viruses in a LAN context was in associating a virus-identifying script file with the login process of the server.
The script file would execute each time a workstation attempted to log onto the server. Once the existence of a virus was established by the script file of the server, the infected workstation could be taken off-line or denied access to the server, and the infected login.exe program on the server was automatically erased and replaced by a stored, clean version. Operation could then continue as before, with the uninfected workstations accessing the server. If the infected workstation again attempted to log on, it would again be cut off. Eventually, maintenance personnel would examine the infected workstation and disinfect it.
In later improvements of the LAN, the login process of the server would, when a workstation attempted to log onto the server, use a script file to call or invoke the antivirus component or program of the workstation, thereby running the antivirus program in the workstation. The server would continue the logon of that particular workstation only if the workstation antivirus program returned an error level 0 signal, indicating that the workstation was clean or uninfected.
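The two logon-time mechanisms described above (replacing a tampered login program from a stored clean copy, and continuing the logon only when the workstation's scanner exits with error level 0) can be expressed as a single POSIX shell gate. This is an added example written for this page, not code from the original text; every path, file name, the signature-age threshold and the stand-in scanner commands are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the original text): a logon-time gate in the spirit
# of the server script file described above. All paths and commands are
# assumptions for the illustration.

# Checksum of a file (POSIX cksum), used to compare the live logon program
# against a stored clean copy.
file_sum() {
    cksum "$1" | cut -d' ' -f1
}

# Compare the live logon program with the clean copy. On mismatch the live
# copy is treated as infected and overwritten with the clean copy.
# Returns 0 if it already matched, 1 if it had to be restored.
verify_and_restore() {
    clean="$1"
    live="$2"
    if [ "$(file_sum "$clean")" = "$(file_sum "$live")" ]; then
        return 0
    fi
    cp "$clean" "$live"
    return 1
}

# Signature freshness: 0 if the signature file was modified within max_days,
# 1 if it is older (out-of-date) or missing.
signatures_current() {
    sigfile="$1"
    max_days="$2"
    [ -f "$sigfile" ] || return 1
    [ -n "$(find "$sigfile" -mtime -"$max_days")" ]
}

# Run the workstation scanner and let the logon continue only when it exits
# with status 0 (the "error level 0" convention). Any other status denies the
# logon, so an infected workstation is cut off each time it tries.
gate_logon() {
    scanner="$1"
    status=0
    "$scanner" || status=$?
    if [ "$status" -eq 0 ]; then
        echo "logon permitted: scanner reported clean"
        return 0
    fi
    echo "logon denied: scanner exit status $status"
    return 1
}

# Full logon check: restore the logon program if it was tampered with, then
# require both current signatures and a clean scan before the logon proceeds.
# Returns 0 on success, 2 for stale signatures, 1 for a failed scan.
logon_check() {
    clean="$1"; live="$2"; sigfile="$3"; max_days="$4"; scanner="$5"
    if ! verify_and_restore "$clean" "$live"; then
        echo "logon program differed from clean copy; restored"
    fi
    if ! signatures_current "$sigfile" "$max_days"; then
        echo "logon denied: signatures out of date"
        return 2
    fi
    gate_logon "$scanner"
}

# Constructed demonstration fixture: a clean copy, an altered live copy,
# a fresh signature file, and two stand-in scanners (clean and infected).
demo() {
    dir=$(mktemp -d)
    printf 'clean logon program\n' > "$dir/login.clean"
    printf 'clean logon program plus appended bytes\n' > "$dir/login.exe"
    : > "$dir/signatures.dat"
    printf '#!/bin/sh\nexit 0\n' > "$dir/scan_clean"
    printf '#!/bin/sh\nexit 3\n' > "$dir/scan_infected"
    chmod +x "$dir/scan_clean" "$dir/scan_infected"

    logon_check "$dir/login.clean" "$dir/login.exe" "$dir/signatures.dat" 7 "$dir/scan_clean"
    logon_check "$dir/login.clean" "$dir/login.exe" "$dir/signatures.dat" 7 "$dir/scan_infected" || true
    rm -rf "$dir"
}

demo
```

The scanner is passed in as a command so that any scanner honouring the exit-status convention can be substituted; the restore step runs before the scan because, as the text notes, the server-side login program is itself a target and must be trustworthy before it is used to invoke anything on the workstation.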
The advent of the Internet established widespread use of peer-to-peer communication among workstations or computers. A peer-to-peer structure does not allow for scripting of the kind described above, so an antivirus policy that requires running an antivirus program cannot be directly enforced: there is no way for one workstation or computer to require execution of an antivirus program by another workstation as a precondition to its access to the Internet. As a result, a workstation which became infected with a virus while connected to the Internet could, when connected to the intranet or LAN, spread the infection.
With the advent of access by way of the Internet, viruses are generally spread by email, which continues to have a client-server structure, notwithstanding the underlying peer-to-peer structure of the Internet itself. In effect, the workstation has become the “server” as to the virus, and can spread the virus to all its peers, mostly by email, but also by network shares, such as network directories.
Authentication of an Internet user attempting to access the Internet was confined to user name and password, and no authentication of the connecting platform is done. Thus, users communicating from unprotected and exposed remote sites could become infected at those remote sites and then readily spread the viruses internally to the intranet or LAN.
In order to expand the utility of LANs when the Internet became available, one or more “gateways” were connected to each LAN or intranet, which resulted in communications between the closed or private intranet and the public Internet. The server which provided the gateway received communications from the Internet in only a few protocols, so it was practical to provide antivirus programs in the gateway servers to keep the intranet “clean” or to protect it from viruses. It continued to be advisable to maintain virus protection programs operating at each workstation or client of an intranet, to take care of any viruses incidentally introduced by way of infected diskettes. The limited number of gateways or entryways between the Internet and each intranet allowed reasonable virus control, because, with a limited number of gateways, their antivirus programming could be changed in a relatively short time to adapt to a spreading virus in the Internet. By contrast, if intranet protection depended solely on the antivirus programs running in each client workstation, tens or hundreds of thousands of client workstations might need to be reprogrammed in a large intranet, which could not be accomplished in a short period of time.
With the advent of virtual private network (VPN) use, pathways or “tunnels” through the Internet have become available which provide a “direct” communication path or link between a remote client workstation (remote as to the intranet to which it connects) and the intranet providing such VPN access. The tunnel is a pathway through the Internet which is protected by encryption, and so is effectively private, even though the tunnel passes through a public cyberspace. While the intranet still requires a remote access server at a gateway in order to encrypt and decrypt information traversing a VPN, the large number of possible data formats or protocols which might be communicated over such a path makes it difficult or impossible to provide proper virus protection by use of currently available remote access servers.
The advent of VPNs for use with intranets presents various problems. One is that the remote client workstation is physically removed from, or outside, the physically protected space associated with the intranet, and may therefore be vulnerable to use by persons other than the authorized user; this problem can largely be controlled by requiring passwords so that only authorized personnel can use the remote workstation. However, there are additional problems relating to the workstation itself. Among these is that the remote client workstation is presumably used for purposes other than communication with the intranet; for example, such a workstation might be used to access the user's email on the Internet. Such access does not have the benefit of filtration by a gateway server as it would if the workstation were inside an intranet, which gives rise to the possibility that the remote workstation might become infected with a virus if its antivirus program happens to be turned off or out-of-date. This would be of little concern, except that such a remote client workstation is treated as a part of the “clean” intranet when it communicates therewith by way of a tunnel. A virus against which the antivirus protection of some, or all, of the workstations of an intranet is ineffective could spread within the intranet, even if the gateways provided between the Internet and the intranet were capable of handling the virus. Such a situation could result in the intranet becoming unusable until a large number or all of the workstations were disinfected, which could be a very long time for large intranets.
In one large intranet, several hundred instances of the Anna Kournikova virus on the intranet were traced to remote VPN users. The remote users had become infected by use of their email on the Internet, and communicated the virus to the intranet through the direct VPN path. The rapidly expanding use of VPNs makes massive infection of intranets more likely.